
[Security Solution] Tines connector #143505

Merged: 54 commits, Nov 14, 2022

Conversation

semd
Contributor

@semd semd commented Oct 18, 2022

Summary

Issue: #140066
Doc: https://docs.google.com/document/d/14BY-6CIin1CUH5bwJJgfrGl37hWO-CeNMdl_35agpvk/edit?usp=sharing

Create a new connector type that offers a low-friction/low-effort approach to augmenting Elastic capabilities with the SOAR capabilities of Tines.

Implementation

The Tines connector implements subActionConnector, with 4 subActions configured:

  • stories: Retrieves the Story objects available to the user from Tines, to render the Story selector options in the params form. It uses the email and token authentication headers from the configuration.
    It is requested only when the form opens and when the connector instance changes.

  • webhooks: Retrieves the Webhook objects available in the Story from Tines, to render the Webhook selector in the params form. It uses the email and token authentication headers from the configuration and the story_id parameter.
    There is no filter for type in the actions (a.k.a. agents) endpoint, so we have to request all actions and filter them by type === 'Agents::WebhookAgent' on our side.
    It is requested every time the selected story changes.

  • run: The main action execution. It sends the alerts to the configured Tines webhook, using the webhook's path and secret values. There's no template to render; the data coming from the execution is just pruned (the kibana entry is removed from all context.alerts) and sent directly to Tines in the same format.

  • test: The test form execution. It ends up calling run but using a parametrized body.

Pagination

Both the stories and webhooks subActions need pagination, since Tines does not expose any search endpoint for them. The current hard limit is 100 pages. The paginatedRequest function in the connector implementation encapsulates this logic.

Testing

1- Create a Tines free account.

2- Create a new Story and attach a Webhook Action to start receiving events.

3- Create an API token

4- Configure the Tines Connector in Kibana using the Tines tenant URL that has been generated in the Tines app, the email used to sign in, and the API token generated. docs

5- Attach the Tines Connector to a Detection Rule, selecting the Story and Webhooks created. docs

6- After each rule execution, events should appear in the Tines webhook action.

Screenshots

Configure a Tines connector: [screenshot: tines_connector_selection], [screenshot: tines_connector_config]

Use the Tines connector: [screenshot: tines_rule_action], [screenshot: tine_params_form]

Tines events: [screenshot: tines_events]

Checklist

Delete any items that are not applicable to this PR.
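As an added illustration of the description above (not code from this PR or from Kibana), a TypeScript sketch of the 100-page pagination cap, the client-side Agents::WebhookAgent filter, and the alert pruning done by run; the Page/nextPage response shape and the TinesAgent fields are assumed for the example.

```typescript
interface Page<T> { items: T[]; nextPage: number | null }
type FetchPage<T> = (page: number) => Page<T>;

// Hard limit from the PR description: never request more than 100 pages.
const MAX_PAGES = 100;

// Follows next-page links until the API reports no further page or the cap is hit,
// so an unexpectedly large (or misbehaving) tenant cannot keep the connector looping.
function paginatedRequest<T>(fetchPage: FetchPage<T>): T[] {
  const collected: T[] = [];
  let page: number | null = 1;
  let requested = 0;
  while (page !== null && requested < MAX_PAGES) {
    const result: Page<T> = fetchPage(page);
    collected.push(...result.items);
    page = result.nextPage;
    requested += 1;
  }
  return collected;
}

// Assumed shape of a Tines action ("agent"); only `type` matters for the filter.
interface TinesAgent { id: number; name: string; type: string }
const WEBHOOK_AGENT_TYPE = 'Agents::WebhookAgent';

// The actions endpoint has no type filter, so webhooks are selected client-side.
function selectWebhooks(agents: TinesAgent[]): TinesAgent[] {
  return agents.filter((agent) => agent.type === WEBHOOK_AGENT_TYPE);
}

// `run` forwards alerts unchanged except that the `kibana` entry is removed from each.
function pruneAlerts(alerts: Array<Record<string, unknown>>): Array<Record<string, unknown>> {
  return alerts.map(({ kibana: _dropped, ...rest }) => rest);
}

// Constructed sample data standing in for a Tines actions response (not real tenant data).
const sampleAgents: TinesAgent[] = [
  { id: 1, name: 'Receive alerts', type: 'Agents::WebhookAgent' },
  { id: 2, name: 'Enrich', type: 'Agents::HTTPRequestAgent' },
  { id: 3, name: 'Second hook', type: 'Agents::WebhookAgent' },
];

// Serves an in-memory list `perPage` items at a time, mimicking a paginated endpoint.
function pagedFetcher<T>(all: T[], perPage: number): FetchPage<T> {
  return (page) => {
    const start = (page - 1) * perPage;
    return { items: all.slice(start, start + perPage), nextPage: start + perPage < all.length ? page + 1 : null };
  };
}
// A fetcher that never reports a last page: only the cap stops this one.
const endlessFetcher: FetchPage<number> = (page) => ({ items: [page], nextPage: page + 1 });
```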

@semd semd added Team:Threat Hunting Security Solution Threat Hunting Team release_note:feature Makes this part of the condensed release notes Feature:Actions/ConnectorTypes Issues related to specific Connector Types on the Actions Framework Team:Threat Hunting:Explore v8.6.0 labels Oct 18, 2022
@semd semd self-assigned this Oct 18, 2022
@semd semd marked this pull request as ready for review October 20, 2022 14:36
@semd semd requested a review from a team as a code owner October 20, 2022 14:36
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@semd semd requested a review from a team as a code owner October 20, 2022 17:12
@semd
Contributor Author

semd commented Oct 24, 2022

@elasticmachine merge upstream

@@ -0,0 +1,105 @@
[role="xpack"]
Member


cc @lcawl

secrets: TinesSecretsSchema,
},
validators: [{ type: ValidatorType.CONFIG, validator: urlAllowListValidator('url') }],
supportedFeatureIds: [SecurityConnectorFeatureId],
Member


@ymao1 Shouldn't it show "Security solution"?


Contributor


No, we are showing the feature ID category now, which is either Alerting Rules or Cases. Since this is available for Security rules, that falls under Alerting Rules

Member


Oh, I was not aware of that. Thanks for clarifying!

Member

@cnasikas cnasikas left a comment


Very good job with the connector @semd! I left some comments. I tested without any issues. I noticed that when the user first enters the params form it shows an error. This is a bit misleading because the user has not interacted with the form yet. Other connectors do not show an error until the user interacts with the form.



const { emptyField, urlField } = fieldValidators;

const TinesActionConnectorFields: React.FunctionComponent<ActionConnectorFieldsProps> = ({
Member

@cnasikas cnasikas Nov 9, 2022


I am not sure it fits your needs but you can use the SimpleConnectorForm defined here x-pack/plugins/triggers_actions_ui/public/application/components/simple_connector_form.tsx. You can see an example here x-pack/plugins/stack_connectors/public/connector_types/cases/jira/jira_connectors.tsx

data: tinesWebhookSuccessResponse,
});
});
});
Member


We should add a test for testing the test sub action.

@mikecote
Contributor

mikecote commented Nov 9, 2022

FYI I just merged #144736 and this PR will require adding tines to the list within x-pack/test/alerting_api_integration/spaces_only/tests/actions/check_registered_connector_types.ts after pulling latest.

Contributor

@jonathan-buttner jonathan-buttner left a comment


Left a few questions. Tested the new changes and things look good though!

Contributor

@stephmilovic stephmilovic left a comment


Reviewed the code and tested locally, all works as expected. This is a very interesting system, good job navigating it and writing this solution. Thanks @semd!

LGTM from Explore team!

Contributor

@YulNaumenko YulNaumenko left a comment


Thank you a lot for such a great effort! Tested locally, connector works as described in the document. Code LGTM!

@semd
Contributor Author

semd commented Nov 10, 2022

@elastic/mlr-docs could you please take a look?

Contributor

@jonathan-buttner jonathan-buttner left a comment


Great work @semd !

@semd
Contributor Author

semd commented Nov 14, 2022

@elasticmachine merge upstream

@kibana-ci
Collaborator

kibana-ci commented Nov 14, 2022

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id before after diff
stackConnectors 167 175 +8
triggersActionsUi 456 458 +2
total +10

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
triggersActionsUi 499 501 +2

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
stackConnectors 380.5KB 411.5KB +31.1KB
triggersActionsUi 659.0KB 656.8KB -2.1KB
total +28.9KB

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id before after diff
triggersActionsUi 50 51 +1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
stackConnectors 22.9KB 24.6KB +1.7KB
triggersActionsUi 101.8KB 103.7KB +2.0KB
total +3.7KB

Unknown metric groups

API count

id before after diff
triggersActionsUi 528 530 +2

async chunk count

id before after diff
stackConnectors 55 59 +4

ESLint disabled in files

id before after diff
osquery 1 2 +1

ESLint disabled line counts

id before after diff
enterpriseSearch 19 21 +2
fleet 59 65 +6
osquery 108 113 +5
securitySolution 441 447 +6
stackConnectors 74 78 +4
total +23

Total ESLint disabled count

id before after diff
enterpriseSearch 20 22 +2
fleet 67 73 +6
osquery 109 115 +6
securitySolution 518 524 +6
stackConnectors 78 82 +4
total +24

